Saturday, 26 May 2007

rtf malware spam

This seems to be a new formatted malware spam going around, along the same lines as the "Better Business Bureau targeted malware spam" that SANS reported today.

Here's a screenshot from the new style spam:

If you go to the top level directory of the domain that's hosting the file, you can see an open directory:

What's interesting is the date of the actual "bad" RTF file, 9th May 2007... so as it's been there a while now, let's see how the anti-virus scanners coped:

Complete scanning result of "superpages.rtf", received in VirusTotal at 05.26.2007, 08:23:20 (CET).

AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.997.0 05.25.2007 no virus found
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.26.2007 Trojan.Spy.Agent.NDQ
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 7.0.15.0 05.24.2007 no virus found
eTrust-Vet 30.7.3665 05.26.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.26.2007 no virus found
Fortinet 2.85.0.0 05.26.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 W32/CrazyCrunch-based!Maximus
Ikarus T3.1.1.8 05.26.2007 no virus found
Kaspersky 4.0.2.24 05.26.2007 Trojan-Spy.Win32.Delf.jq
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.26.2007 TrojanSpy:Win32/Logsnif.gen
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 9.0.0.4 05.25.2007 Trj/Passtealer.DE
Prevx1 V2 05.26.2007 no virus found
Sophos 4.18.0 05.25.2007 Troj/Agent-FPG
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.26.2007 no virus found
TheHacker 6.1.6.123 05.25.2007 no virus found
VBA32 3.12.0 05.26.2007 suspected of Malware.Delf.43
VirusBuster 4.3.23:9 05.25.2007 no virus found
Webwasher-Gateway 6.0.1 05.26.2007 Trojan.Spy.Delf.JQ.112 (suspicious)

Aditional Information
File size: 157686 bytes
MD5: d948f4b41be0aee7b3bd292e33082313
SHA1: 5e4f9655effbcb7ff8f03f05a6a4f778bf9a54f6
packers: UPX
packers: UPX, BINARYRES, UPX
packers: UPX
Hopefully this will improve now that VirusTotal have the file. Until then... I've added a simple detection for this new type: Html.Malware.Sanesecurity.07052600

Thursday, 24 May 2007

OpenDNS

OpenDNS.... maybe you've heard of it... but it's so easy to setup... and free... try it :)

OpenDNS replaces your ISP's DNS servers... but with one important improvement... OpenDNS will warn you if a site or link you have just clicked on... is a known phishing site!

Use it as a backup to the normal Firefox/IE phishing toolbar plugins.

More info here

Another mailto eBay phish

Here's a genuine-looking eBay phishing attempt that came in today. As you can see, all the links point back to the genuine eBay site:

It's only when you view the source code that you notice something doesn't seem right with this email. You can see that if you did try to log in to eBay directly from this email, your eBay login details would be kindly sent to seflab...@yahoo.com via the mailto server mailhost.dglnet.com.br:

So, let's take a look at mailhost.dglnet.com.br. Well, looks like they are running SquirrelMail, but let's check out the version number.... hmmm... v1.4.4:

Let's go to the main squirrelmail site and see what version is the current one. Well, the latest one is:

SquirrelMail 1.4.10a Released
May 09, 2007 by Thijs Kinkhorst

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.10a.

The 1.4.10 release contains multiple fixes for cross site scripting issues triggered by viewing HTML mail. Besides that it contains bug fixes and stability enhancements.

The version before that looks something like this, changelog-wise:

Are there any problems with running older versions... yep... just a few!

So, looks like keeping webmail software up to date is a must.
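For the mailto eBay phish earlier in this post, here is an added example (not code from the original post) that audits an e-mail's HTML for forms that submit somewhere other than where the visible links point, either by a mailto: action or via a relay script with a hidden recipient field. The sample HTML, relay hostname and recipient address are constructed placeholders, not the real ones from the phish.

```python
# Added example, not code from the original post: audit an e-mail's HTML for
# login forms that submit somewhere other than the sites its visible links go
# to, the give-away in the eBay phish above. Sample HTML, relay host and
# recipient address are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

class FormAuditor(HTMLParser):
    """Collect link hosts, each <form action>, and each form's hidden fields
    (formmail-style relays read the recipient address from one of those)."""
    def __init__(self):
        super().__init__()
        self.link_hosts, self.forms = set(), []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.link_hosts.add(host_of(a["href"]))
        elif tag == "form":
            self.forms.append({"action": a.get("action", "").strip(), "hidden": {}})
        elif tag == "input" and self.forms and a.get("type", "").lower() == "hidden":
            self.forms[-1]["hidden"][a.get("name", "")] = a.get("value", "")

def audit_email_html(html: str) -> list:
    """One finding per suspicious form; [] means every form posts to a linked site."""
    p = FormAuditor()
    p.feed(html)
    findings = []
    for f in p.forms:
        action = f["action"]
        if action.lower().startswith("mailto:"):
            findings.append(f"form submits by mail to {action[7:]}")
        elif host_of(action) and host_of(action) not in p.link_hosts:
            findings.append(f"form posts to {host_of(action)}, not a linked site")
        for name, value in f["hidden"].items():
            if "@" in value:
                findings.append(f"hidden field {name!r} carries address {value}")
    return findings

# Constructed sample: every visible link goes to the real site, the forms do not.
SAMPLE_HTML = """<html><body>
<a href="http://www.ebay.com/">eBay</a> <a href="https://signin.ebay.com/">Sign in</a>
<form action="http://mailhost.example.invalid/cgi-bin/formmail.pl" method="post">
<input type="hidden" name="recipient" value="phisher@example.invalid">
User ID <input name="userid"> Password <input type="password" name="pass">
<input type="submit" value="Sign In"></form>
<form action="mailto:phisher@example.invalid" method="post" enctype="text/plain">
<input name="userid"> <input type="submit" value="Sign In"></form>
</body></html>"""

if __name__ == "__main__":
    print("\n".join(audit_email_html(SAMPLE_HTML)))
```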

Tuesday, 22 May 2007

News Update

Just a quick news update:
  • Thanks to Internet Solutions we now have another mirror, live from South Africa
  • Thanks to FreeForm Technologies we now have another mirror
  • Thanks to Geekeffect there is now another download mirror
So, just a reminder, the new download URLs are:

http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz

Quote of the day: Isn't smooth peanut butter for the timid and the weak? (happyslip.com)

Monday, 21 May 2007

Signatures added in May...

I knew this month... things seem to have jumped in the number of new phishing/scam emails. So I thought I'd just have a very quick look at how many sigs I'd actually done in May (so far) and compare with how many I'd done in the whole of April:

May (so far):

phish.ndb.gz: 296 new sigs
scam.ndb.gz: 539 new sigs

April:

phish.ndb.gz: 139 new sigs
scam.ndb.gz: 377 new sigs

No wonder my fingers ache :(

Friday, 18 May 2007

New type of Fake BlueMountain eCard

Here's a new type of fake eCard. Normally you can spot them a mile away, as they have links to exe/scr/pif files when you hover your mouse over the link.

This one, however, doesn't have any of the above... just a genuine-looking attached dll filename, which would make sense as it's an attachment:


However, if you do click on the link, you are asked to download a file called FlashPlayer_eCard.exe, which again you might think is okay... as the above email does suggest that you might have to use the Macromedia Flash plug-in.

But submitting the file to VirusTotal, well... not good:


Bancos-family malware is usually a password-stealing Trojan, which can also download code.

Thursday, 17 May 2007

example phish hosted by home user?

Here's the fake screen that you get when you click on one particular phishing email:


What's interesting is that static address, which suggests a website hosted on a broadband connection with a static IP address. Visiting the top level, you get a nice "hello world"-type website. As you can see, it's using PHPTriad, which is an installer for Apache, MySQL and PHP on Windows.


So, did this user knowingly host a phishing site using PHPTriad... or was this software installed by a trojan, without the user's knowledge?

Wednesday, 16 May 2007

Posteitaliane Phish: under the hood

Here's an example phish that arrived today:


The clickable link wants to go to a formlogin.txt; as you can see below, yep... that's a .txt extension!


Here's the interesting bit of the formlogin.txt file, yep... if you'd typed in your banking details, you'd now be sending them to the nice phisher, who seems to like his 007 Yahoo address:


Here are the timestamps of when all the fake files were created; as you can see, if you look back at the time/date of the original phishing email, the emails were sent out to people very quickly :(


And finally... here's the web gateway that was used to send the banking details to the Yahoo email address:

Ebay phish in different email clients

I've been asked why an eBay phish was detected, even though it doesn't seem to redirect to a fake site. The reason for this could be a false positive... but having looked at the example, it's not a false positive... but a difference in email clients.

Here's the eBay phishing attempt:

Outlook Express:


Thunderbird:


You can already see a slight difference between the clients. If you look at the link bar at the bottom, one seems to go to ebay.com and the other to signin.ebay.com.

If you click on the link in Outlook Express, you are taken to the fake page (which Firefox knows is a fake). You can see in the browser URL that the site is fake, i.e. h-sohbi.com:


If you click on the link in Thunderbird, you are taken to the genuine eBay page:


Huh? Taking a closer look at the phishing code, you can see the phisher has kindly labeled the ID as SPOOF:


So it looks like this code renders differently in Outlook Express and Thunderbird, which is why you get taken to two different sites depending on which email client you are using.

Strike one up for Thunderbird :)

Tuesday, 15 May 2007

New download URLs.... Go

It's been a busy couple of weeks: not only does there seem to have been a huge increase in the number of new phishing emails, but also an increase in the number of problem scams.

It's been hard to keep up at times!

The main news is the new download URLs, which are:

http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz

The above two links will now redirect, round-robin style, to the new mirrors that people have "donated" in order to help the project.

A huge thanks to the mirror providers, Christopher X. Candreva for the .htaccess code/idea and tbb (Nico) for pointing me toward the round-robin script... in order to make this all work.

Thanks guys!

More image spam... sort of...

We also got hit this morning with another slight variant of the German stock spam. This time, there isn't any image in the email. I'm guessing this is to avoid programs like FuzzyOCR, which are helping to detect the images in the email.

The simple "trick" is to use free picture gallery sites to host their images.

The email you receive is a bit like this:


If you do actually click on the link, you get this standard "scrambled" image:


The question is... how do the spammers set up so many random accounts on these free hosting servers before their spam runs, and what can the picture hosting companies do about it?

Image Stock Spam...arrrggghh

Wow... we got hit hard this morning with a new type of German Image stock spam.

Here's a picture for those people who were lucky enough to miss this:

Sunday, 13 May 2007

Fake Halifax Bank

Here's a pretty convincing Halifax Bank phish... in fact, it's just a copy/paste job from a genuine Halifax email, with just the target URL changed to point to the phisher's site:


Look at the bottom link... see the .co.kr (Korea)?

Fake Google webmaster tool

Bit late with this post... but it seems Google's name is being used as a ploy to get you to download some type of malware:


Yep, it's a fake!

new rockfish type?

Hi All,

Not quite sure if this is a new type of phish using a new template... or whether the rockfish toolkit has been updated; here's an example:


These will be detected as a new type: Phishing.Bank.Rockv2Gen

Saturday, 5 May 2007

Marks and Spencer laptop theft

It doesn't seem like they've heard of TrueCrypt or perhaps they should start using Seagate drives like this:

"More than 20,000 staff at Marks & Spencer have been told they may be at risk of identity crime after a laptop computer was stolen, it has been reported.

The retailer has written to 26,000 present employees in its final salary pension scheme warning they are at risk if the data is accessed by criminals.

BBC Radio 4 said salary details, addresses, dates of birth, national insurance and phone numbers were on the machine, which was stolen from a printing firm."

Source: http://www.channel4.com/news/articles/uk/laptop+theft+risk+to+ms+staff+ids/499687#fold

Sanesecurity Sigs: Important News

Due to me nearly running out of bandwidth last month (17GB out of a 20GB hosting package), some urgent changes were needed to the signature hosting, otherwise I'd start getting charged for the extra bandwidth :(

So, to keep this short, here's a to-do list ;)

One: Mirrors

Three new mirrors are now available, in preferred order:

Mirror 1: A huge thanks to http://dotsrc.org/ (formerly known as SunSITE.dk), as they are now a mirror for my signatures, updating hourly from the main site.

Mirror 2: Thanks to http://tiscali.nl, as they seem to be a mirror for my signatures, updating hourly from the main site.

Mirror 3: Thanks to a special offer deal from Surpass Hosting, I set up a sanesecurity.co.uk domain, to try and ease the load on the main sanesecurity.com site.

So, please could you all change your download scripts to download from the above mirrors? Not only will this help me avoid getting hit with hosting charges, but you benefit too, as you should be able to increase the frequency with which you check for download changes.

The new download links have been updated on the download page, and so have the scripts:

http://sanesecurity.co.uk/clamav/downloads.htm
http://sanesecurity.co.uk/clamav/usage.htm

Two: check your download scripts

Please could everyone check that their scripts are only grabbing the signatures when they have changed? Some users have been downloading the sigs regardless of any changes, which isn't really helping, while other users have made mistakes with their scripts/cron jobs and are trying to download every minute :(

That's it and thanks for everyone's understanding!

Cheers,

Steve
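For the "check your download scripts" item above, here is an added example (not Sanesecurity's own script) of a fetcher that sends HTTP If-Modified-Since so an unchanged file costs a 304 reply and no transfer, and that refuses to check more than once an hour. The hourly interval, the stamp file name and the ClamAV directory are assumptions; the URLs are the two download URLs from the "New download URLs" post above.

```python
# Added example, not Sanesecurity's own script: fetch each signature file only when
# the server's copy is newer (If-Modified-Since / 304), and check at most hourly.
import os
import time
from email.utils import formatdate, parsedate_to_datetime
from urllib.error import HTTPError
from urllib.request import Request, urlopen

SIG_URLS = [                     # the two download URLs given in the post
    "http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz",
    "http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz",
]
MIN_INTERVAL = 3600              # assumption: once an hour is plenty, never every minute

def due_for_check(stamp_path, interval=MIN_INTERVAL, now=None):
    """True when `interval` seconds have passed since the stamp file was touched."""
    if not os.path.exists(stamp_path):
        return True
    now = time.time() if now is None else now
    return now - os.path.getmtime(stamp_path) >= interval

def conditional_request(url, local_path):
    """GET that sends If-Modified-Since from the local copy's mtime, so an
    unchanged file is answered with 304 Not Modified and no body."""
    req = Request(url)
    if os.path.exists(local_path):
        req.add_header("If-Modified-Since",
                       formatdate(os.path.getmtime(local_path), usegmt=True))
    return req

def fetch_if_changed(url, local_path):
    """Return True if a newer copy was written, False if the server said 304."""
    try:
        with urlopen(conditional_request(url, local_path), timeout=30) as resp:
            data, last_mod = resp.read(), resp.headers.get("Last-Modified")
    except HTTPError as err:
        if err.code == 304:
            return False
        raise
    with open(local_path + ".part", "wb") as fh:
        fh.write(data)
    os.replace(local_path + ".part", local_path)   # atomic swap, never a half-written db
    if last_mod:                                   # keep server time for the next request
        t = parsedate_to_datetime(last_mod).timestamp()
        os.utime(local_path, (t, t))
    return True

def update_all(sig_dir, interval=MIN_INTERVAL):
    stamp = os.path.join(sig_dir, ".last-check")   # assumed stamp file name
    if not due_for_check(stamp, interval):
        return []
    changed = [os.path.basename(u) for u in SIG_URLS
               if fetch_if_changed(u, os.path.join(sig_dir, os.path.basename(u)))]
    with open(stamp, "w"): pass                    # touch the stamp
    return changed
```

Run it from cron as `update_all("/var/lib/clamav")` (an assumed ClamAV database directory); the returned list tells you whether clamd needs a reload.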

Fake IE7 update

Well, it looks like a new spam run of the fake IE7 beta is now going around again; this is currently being detected as: Email.Malware.Sanesecurity.07050500

As you can see, there's a link to an exe file when you hover your mouse over the picture:


The exe in question is another Trojan: TR/Proxy/Agent.CL

Friday, 4 May 2007

Trust No One: MS Needs Your Credit Card Details

Trojan.Kardphisher creates a genuine-looking Microsoft Activation screen the next time your PC reboots... it asks you for your credit card details as part of the fake activation!

Very crafty...

"This Trojan teaches us all a good lesson - Trust No One. This is the slogan from the TV show The X-Files, and very much applies when it comes to protecting your personal information. Sometimes the creators of Trojans attempt to impersonate Microsoft, a bank, or even a government organization. Whatever the warning or message says, we must make very sure it is genuine before giving up any personal details, financial or otherwise. It's far better to doubt a genuine request until proper verification is provided, than it is to blindly place your trust in a communique simply because it appears to have come from a trusted source.

Sad though it may be, the days of leaving your front door unlocked are over. In these times we not only need a lock on the door, we need a security guard watching the front door, the back door, and everywhere in between."

Source:
http://www.symantec.com/enterprise/security_response/weblog/2007/05/ms_needs_your_credit_card_deta.html

Hackers target wi-fi hotspots in new phishing attack

Anyone who uses "free"/"open"/unencrypted wi-fi access should read this:

"Computer users have been warned of the dangers of using wi-fi hotspots after it emerged that cyber-criminals are targeting the networks in café chains including Starbucks.

Times Online has uncovered evidence that criminals are using a technique known as an 'evil twin attack', where victims think that they are logging on to the genuine network in a café but are in fact being diverted to a 'rogue' connection.

Once logged on to the twin network, the victim's every keystroke is captured by the fraudster, who controls the connection from a nearby laptop and uses it to extract information for the purpose of committing identity fraud."

Source: http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article1728634.ece

new phishing idea...

Here's a slightly new idea... instead of asking you to type in any of your bank details, the phishers are asking you to scan in your important details and then email the details instead.

I'm guessing they don't really care what format you send the information in, e.g. PDF/TIFF etc., as long as it contains all your details... needless to say... don't!

Another post card

Seems postcards are still being sent out to people... here's another example:


And here's what you get... if you did decide to click on the link:

Thursday, 3 May 2007

Watch those url spellings...

Hi,

I've seen various PayPal phishing emails today, all the same... except that the phisher decided to change the URL after each "phishing run".

So, here's the first part of the URL for each of the three "types":

http://paymant-response
http://peyment-resposse
http://payment-resspons

Obviously they are trying to fool your brain into thinking http://payment-response, but in reality the spelling is wrong.
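The spelling trick above lends itself to a simple check. The following is an added example, not code from the original post: it measures how many single-character edits separate each hostname from the name the reader is meant to see (taken from this post) and flags the near misses. The threshold of two edits is an assumption.

```python
# Added example, not code from the original post: flag hostnames that sit a
# few character edits away from the name a reader expects to see. The target
# name and the three suspect URLs below are the ones quoted in the post.
from urllib.parse import urlsplit

EXPECTED_LABEL = "payment-response"     # what the phisher wants your brain to read
SUSPECT_URLS = [                         # the three URL prefixes from the post
    "http://paymant-response",
    "http://peyment-resposse",
    "http://payment-resspons",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest insert/delete/substitute steps from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute ca -> cb
        prev = cur
    return prev[-1]

def closest_label_distance(host: str, expected: str) -> int:
    """Compare every dot-separated label of `host` with `expected` and return
    the smallest distance, so a lookalike is caught under any TLD or subdomain."""
    return min(edit_distance(label, expected) for label in host.lower().split("."))

def flag_lookalikes(urls, expected=EXPECTED_LABEL, max_edits=2):
    """Map each URL's hostname to its edit distance when it is a near miss
    (1..max_edits edits). Exact matches and unrelated names are left out."""
    flagged = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        d = closest_label_distance(host, expected)
        if 0 < d <= max_edits:
            flagged[host] = d
    return flagged

if __name__ == "__main__":
    for host, d in flag_lookalikes(SUSPECT_URLS).items():
        print(f"{host}: {d} edit(s) from {EXPECTED_LABEL}")
```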

Tuesday, 1 May 2007

boclean saves the day

While searching for a free FTP client, as for some reason I'd forgotten about FileZilla, I came across this nice-looking site (don't try and download the filename in this picture):


I scanned the exe file with AVG and, as I was in a rush, ran the exe file to install the free FTP client.

This is what happened next:


That's right... AVG missed it... but BoClean popped up saying that it had detected a nasty in the file... just before it started to do really horrible stuff to my system!

Hurrah for this once-commercial but now free anti-malware program!

Out of interest, I scanned the free FTP client with one of the multi-AV scanning sites, with the following results:


Yep... as you can see, not many of the AVs detected it... so mega full marks to BoClean.

Update: ISC also did a write up of the information I sent to them!